Global Privacy Frameworks & Data Protection Laws Reference
Comprehensive reference of 30 privacy frameworks and data-protection laws — covering GDPR, CCPA/CPRA, HIPAA, Brazil's LGPD, China's PIPL, Japan's APPI, ISO 27701, Canada's PIPEDA, and regional equivalents.
- GDPR (EU) — General Data Protection Regulation: lawful basis, data subject rights, DPA obligations, and cross-border transfers
- CCPA/CPRA (California) — consumer privacy rights, opt-out requirements, and sensitive personal information rules
- HIPAA (US Healthcare) — Protected Health Information (PHI) safeguards, breach notification, and Business Associate Agreements
- LGPD (Brazil) — Lei Geral de Proteção de Dados: data subject rights and DPA obligations
- PIPL (China) — Personal Information Protection Law: cross-border transfer restrictions and consent requirements
- ISO 27701 — Privacy Information Management System (PIMS) extension to ISO 27001
GDPR: The World's Most Influential Privacy Regulation
The EU General Data Protection Regulation (GDPR), in force since May 2018, is the global benchmark for privacy legislation — its extraterritorial reach (applying to any organisation processing EU residents' personal data regardless of location), severe enforcement penalties (up to 4% of global annual turnover), and comprehensive data subject rights have made it the reference point that privacy laws in over 130 countries have been modelled on or compared against. Core GDPR obligations include identifying a lawful basis for each processing activity, respecting data subject rights (access, rectification, erasure, portability, objection), appointing a Data Protection Officer where required, and implementing technical and organisational security measures appropriate to the processing risk.
- Lawful basis requirement — one of six lawful bases must apply to every personal data processing activity
- Data subject rights — access, rectification, erasure, restriction, portability, and objection rights for EU data subjects
- DPO requirement — mandatory Data Protection Officer for public authorities and certain high-risk processing activities
- 72-hour breach notification — personal data breaches reported to supervisory authority within 72 hours of discovery
- Fines — up to €20 million or 4% of global annual turnover (whichever is higher) for serious violations
CCPA/CPRA: California's Comprehensive Consumer Privacy Law
The California Consumer Privacy Act (CCPA), amended and strengthened by the California Privacy Rights Act (CPRA), is the most comprehensive US state privacy law — creating rights for California consumers that include the right to know what personal information is collected, the right to delete, the right to opt-out of sale or sharing, the right to correct, and the right to limit the use of sensitive personal information. The CPRA created the California Privacy Protection Agency (CPPA) as the dedicated enforcement authority and added obligations around data retention, contractor obligations, and annual cybersecurity audits for organisations meeting a high-risk threshold. Multiple other US states have enacted similar laws, creating a growing patchwork of state-level privacy requirements.
- Right to know — consumers can request disclosure of personal information collected, used, disclosed, and sold
- Right to opt-out of sale/sharing — consumers can prohibit the sale or sharing of personal information for targeted advertising
- Sensitive personal information — additional rights and restrictions for SSN, health data, biometric data, and financial data
- Data retention requirements — personal information retention must be limited to what is reasonably necessary
- CPPA enforcement — dedicated enforcement agency with authority to investigate, audit, and fine covered businesses
HIPAA: US Healthcare Privacy and Security Requirements
The Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules govern the protection of Protected Health Information (PHI) by covered entities (healthcare providers, health plans, clearinghouses) and their business associates (vendors with access to PHI). The Privacy Rule defines permitted uses and disclosures of PHI and establishes patient rights. The Security Rule defines administrative, physical, and technical safeguards for electronic PHI. Business Associate Agreements (BAAs) must be in place with every vendor that creates, receives, maintains, or transmits PHI on behalf of a covered entity — making HIPAA compliance a supply chain obligation as well as an internal one.
- Covered entity scope — healthcare providers, health plans, and healthcare clearinghouses subject to HIPAA rules
- Business Associate Agreements — mandatory contracts with all vendors having access to protected health information
- Minimum necessary standard — PHI access and use limited to the minimum necessary for the intended purpose
- HIPAA Security Rule — administrative, physical, and technical safeguards for electronic PHI
- Breach notification rule — breaches of unsecured PHI reported to OCR, affected individuals, and optionally media
Asia-Pacific Privacy Laws: PIPL, APPI, PDPA, and DPDP
Asia-Pacific jurisdictions have enacted comprehensive privacy legislation that organisations operating in the region must navigate alongside EU and US requirements. China's Personal Information Protection Law (PIPL), in force since November 2021, creates strict requirements for cross-border data transfer including security assessments, standard contractual clauses, and regulatory filing — with extraterritorial application similar to GDPR. Japan's APPI (Act on Protection of Personal Information) was significantly revised in 2022 with new cross-border transfer requirements. Singapore's PDPA (Personal Data Protection Act) requires notification within three days for significant data breaches. India's DPDP Act (Digital Personal Data Protection Act), passed in 2023, is awaiting implementing rules.
- PIPL (China) — extraterritorial scope, cross-border transfer security assessments, and consent requirements
- APPI (Japan) — 2022 amendments adding opt-out rights, cross-border transfer requirements, and incident reporting
- PDPA (Singapore) — 3-day breach notification for significant breaches, data portability, and access rights
- DPDP Act (India) — comprehensive personal data protection law passed in August 2023 with rules pending
- Cross-border compliance — managing simultaneous obligations across PIPL, APPI, PDPA, and DPDP for Asia-Pacific operations